Trust, by construction.
One page for your security team — isolation enforced where the data lives, an audit trail you can't bypass, and an AI that proposes but never decides.
AI proposes. Humans decide.
The first AI-native procurement question is whether the AI can alter your safety records. It cannot — not on its own, and not through the API.
When the AI wants to change a record, it stops and shows a one-click approval card. Nothing is written until someone accepts it — the AI cannot act on its own.
A low-confidence suggestion, or one that falls outside your taxonomy, is queued for a human to review. It is never silently written into a safety record.
What the AI proposed, and what the person did with it, is written to a decision ledger the database itself constrains — a defensible trail of human oversight, not a black box.
Workflow stage and governance state — closures, approvals, sign-offs — are reserved for people. No AI, and no API call, can set them. Only a human can.
Reporters stay protected.
ICAO Annex 19 protection is built into the platform — held through the queue, notifications, partner sharing and the AI.
A reporter can file anonymously or in confidence. In those modes the identity is dropped at write time — not encrypted and held, but unrecoverable by design.
Reports carry a protected, restricted or confidential tier. Who can open each tier is a role allowlist plus explicit, granted clearance — not an honour system.
The same clearance gates the personal queue, notifications, partner sharing and the AI copilot. A report you are not cleared for simply is not there, even if you ask the AI.
A closed occurrence can become a de-identified safety bulletin: names, tail numbers and dates are scrubbed, and a person approves it before it goes out, so the lesson travels and the reporter does not.
Five layers. The database has the last word.
One database, every operator separated — if any one layer fails, the next still holds. The deepest layer is the database itself.
Each server-side request is filtered to the calling operator's organisation. Middleware runs on every request — no endpoint touches data without an organisation in context.
Each query against shared data includes the operator's organisation as part of the condition. A continuous integration gate blocks any new endpoint that lacks the filter.
Scheduled and background jobs wrap every operation in a single-organisation context that resets between operators — even cross-operator reporting cannot read across the line.
The database roles that face the outside world can read no operator data at all. Even a leaked public client key reads nothing across operators — the path is shut at the database, not just the app.
Database-enforced isolation is live in production across 119 organisation-scoped tables, against an application role that has no power to bypass it. A query missing your organisation returns zero rows at the database edge — so a single app bug cannot expose another operator's data.
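An added illustration (not the platform's own code) of the three application layers above: a per-request organisation context, a query helper that refuses to run without it, and a job runner that gives each operator a fresh context. SQLite stands in for the production database, so the fifth layer (database-enforced isolation) is not shown here; table and column names are assumptions.

```python
"""Added example: organisation-scoped queries and per-operator job context."""
import contextvars
import sqlite3

# Layer 1: the calling operator's organisation, set by middleware per request.
_current_org = contextvars.ContextVar("current_org", default=None)


def scoped_select(conn, table, where="1=1", params=()):
    """Layer 2: every query against shared data carries organisation_id."""
    org = _current_org.get()
    if org is None:
        raise PermissionError("no organisation in context; refusing unscoped query")
    sql = f"SELECT * FROM {table} WHERE organisation_id = ? AND ({where})"
    return conn.execute(sql, (org, *params)).fetchall()


def run_as(org, fn, *args):
    """Layer 3: run a background job in a fresh context scoped to one operator.

    The caller's context is untouched, so nothing leaks between operators."""
    ctx = contextvars.copy_context()
    ctx.run(_current_org.set, org)
    return ctx.run(fn, *args)


def build_db():
    """Constructed sample data: two operators sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE occurrences (id INTEGER, organisation_id TEXT, title TEXT)")
    conn.executemany("INSERT INTO occurrences VALUES (?,?,?)", [
        (1, "org-a", "Runway incursion"),
        (2, "org-a", "Bird strike"),
        (3, "org-b", "Tail strike"),
    ])
    return conn


def visible_titles(org):
    """Titles an operator's job can read; the other operator's rows are absent."""
    rows = run_as(org, scoped_select, build_db(), "occurrences")
    return [r[2] for r in rows]


def unscoped_is_refused():
    """Outside any organisation context the helper raises rather than leaks."""
    try:
        scoped_select(build_db(), "occurrences")
    except PermissionError:
        return True
    return False
```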
A trail you can't bypass.
Every server-side change writes an audit entry in the same database transaction as the change itself — so the record and its log commit together, or not at all. The trail is tamper-evident, and there is no path that skips it.
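An added illustration (not the platform's own code) of the audit entry committing in the same transaction as the change: if the audit row cannot be written, the change is rolled back too. SQLite stands in for the production database; the schema and the `update_status` helper are assumptions.

```python
"""Added example: record change and audit entry commit together or not at all."""
import json
import sqlite3


def open_db():
    """Constructed schema: one safety record table plus its audit log."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    conn.execute("CREATE TABLE occurrences (id INTEGER PRIMARY KEY, status TEXT)")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT NOT NULL, "
                 "record TEXT NOT NULL, before TEXT NOT NULL, after TEXT NOT NULL)")
    conn.execute("INSERT INTO occurrences VALUES (1, 'open')")
    return conn


def update_status(conn, actor, record_id, new_status):
    """Write the change and its audit entry inside one transaction."""
    conn.execute("BEGIN")
    try:
        (before,) = conn.execute(
            "SELECT status FROM occurrences WHERE id = ?", (record_id,)).fetchone()
        conn.execute("UPDATE occurrences SET status = ? WHERE id = ?",
                     (new_status, record_id))
        conn.execute(
            "INSERT INTO audit_log (actor, record, before, after) VALUES (?,?,?,?)",
            (actor, f"occurrences:{record_id}",
             json.dumps({"status": before}), json.dumps({"status": new_status})))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")  # no audit entry means no change, either
        raise


def state(conn):
    """(current status of record 1, number of audit entries)."""
    status = conn.execute("SELECT status FROM occurrences WHERE id = 1").fetchone()[0]
    entries = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return status, entries


def demo():
    """A valid change lands with its audit row; an unauditable one lands nowhere."""
    conn = open_db()
    update_status(conn, "inspector@example.test", 1, "under_review")
    after_ok = state(conn)
    try:
        update_status(conn, None, 1, "closed")  # NULL actor: audit insert fails
    except sqlite3.IntegrityError:
        pass
    return after_ok, state(conn)
```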
A self-serve viewer inside your tenant lets you filter by who, what, which record and when, and export to JSON or CSV for your auditor.
365 days by default, with per-tenant controls — within the regulatory minimums set by your civil aviation authority.
Enterprise identity, end to end.
Sign in the way your identity provider works, and govern every session.
Passkeys (Touch ID, Windows Hello, a hardware key) or authenticator codes. An admin can reset a locked-out user's second factor.
Each user sees their active sessions and their last sign-ins, and can sign out everywhere in one click. Admins can require single sign-on for the whole organisation.
Automation can't skip sign-off.
The API and AI connectors are open — and run the same checks as the screen, with no shortcut around governance.
The REST API, the AI connector and the agent connector all run exactly the checks the screen runs: who you are, whether you are within limits, whether you can see this organisation's data, whether you are allowed to do this, and an audit-log write of the result.
Workflow and governance state cannot be set through any machine surface. An integration or an AI assistant moves data; only a person closes a record or signs it off.
The AI connector uses standard client registration with proof-key exchange (PKCE), single-use authorization codes, short-lived access tokens and rotating refresh tokens. Your team consents once; the link acts as that user, with that user's exact permissions.
Every webhook is signed so the receiver can verify it really came from us, and every destination is checked against a safe-egress blocklist — loopback, private ranges and cloud-metadata addresses are refused.
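An added illustration (not the platform's own code) of the two webhook controls above: an HMAC signature the receiver verifies, and a safe-egress check that refuses loopback, private and cloud-metadata destinations. The signing scheme, header layout, blocklist and sample payload are assumptions.

```python
"""Added example: signed webhooks and a safe-egress destination check."""
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlsplit

# Constructed sample: a shared secret and one webhook payload.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"event":"occurrence.closed","id":42}'

# Destinations an outbound webhook must never reach (assumed list).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7", "0.0.0.0/8", "100.64.0.0/10")]


def sign(secret, timestamp, body):
    """Sender side: MAC over timestamp and body, so neither can be altered."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, timestamp, body, signature, now=None, tolerance=300):
    """Receiver side: constant-time compare plus a replay window in seconds."""
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


def egress_allowed(url, resolved_ip):
    """Check the address the name resolved to, then connect to that same address.

    Checking the hostname alone is not enough: it can point anywhere."""
    if urlsplit(url).scheme != "https":
        return False
    ip = ipaddress.ip_address(resolved_ip)
    if ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)
```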
Canada. Single region.
At rest + in transit
- Database — AES-256 encryption, isolated per operator
- File storage — AES-256 object encryption
- Secrets (webhook secrets, API keys) — hashed at rest; shown in full once, at creation
- TLS 1.3 enforced edge to origin
- Strict transport security — 1-year max age, all subdomains
- Outbound webhooks signed so the receiver can verify them
Who touches your data
The service categories in the processing chain. Vendor names and agreements are listed in Privacy 09 and Terms 09.
Where we stand
Built to support audits by national civil aviation authorities — FAA Part 5 safety management, EASA Part-ORO, Transport Canada CAR 705, ICAO Annex 19. The audit trail, retention controls and reporter-confidentiality model are designed for a regulator showing up with a notebook.
A degraded barrier requires a linked corrective action; the record can't close until that action passes an effectiveness check; accepting residual risk requires a two-person, co-signed waiver. The discipline a regulator expects is enforced by the system, proven by a 13-of-13 live-cluster scenario suite — not left to good intentions.
We are running our SOC 2 Type 2 readiness work. We do not claim a certificate we don't hold — the controls above stand on their own, by construction. Procurement teams that need a pre-audit questionnaire response can ask for the control matrix on the walkthrough.
A data-processing agreement is available on request, with standard contractual clauses for cross-border transfers to the sub-processor regions listed above.
Export everything, any time
Your data is yours. Trigger a full export whenever you want — nothing locks you in.
A full export builds a complete bundle of every record in your tenant — occurrences, hazards, indicators, actions, audits, investigations, documents, training records and the full audit log. It is built in the background and delivered as a 7-day signed download link by email, available as JSON, CSV, Parquet or PDF, and also through the REST API. Re-importable into any other vendor, or kept for your own archives. No support ticket required.
Found something? Tell us.
Email security@eaviora.com with reproduction steps, the affected tenant (your tenant ID is enough), and your preferred disclosure window. We acknowledge within 24 hours, ship a fix or mitigation within 7 days for the most severe issues, and credit you in the advisory unless you ask us not to. We do not litigate good-faith research.
Hand this to your security team.
We'll cover the rest live.
The questionnaire is mostly answered above — isolation, audit, AI governance, confidentiality, identity. Bring the open questions to a 30-minute walkthrough with the founder.